Fraudsters Locate A New Frontier

Wayne Gattinella, CEO of DoubleVerify, will appear at AdExchanger's CleanAds I/O conference on June 3, an event addressing inventory quality and supply chain issues in the digital advertising ecosystem.

Because of the high demand for mobile location-based data, it’s a big opportunity for fraudsters looking to game geo-coordinates.

“With more money flowing to place-based advertising, the next life for fraud in mobile ad targeting is spoofing the actual location of the device in order to perceivably attract higher-value dollars looking for place-based targets,” said Wayne Gattinella, CEO of ad-quality verification vendor DoubleVerify.

Elizabeth Alcott, an account director at digital agency Isobar US, said that while she believes device spoofing is by no means running rampant, “in the long run, ads purchased based on [fraudulent] location data will result in reduced conversions, making location data much less valuable to advertisers.”

DoubleVerify’s Fraud Lab is in its sixth year, and while it primarily focuses on desktop display and video, mobile CPM increases will soon draw fraudulent tactics to that channel.

“Location data can be compromised in a number of places,” said Aaron Doades, VP of digital quality solutions at DoubleVerify. “If you are up to something nefarious, you can spoof a location very easily using a proxy or some other mechanism to make it look like you’re accessing the web from wherever it is you want to appear to be.”

If a publisher provides devices within an advertiser’s specified lat/long range, it passes that bid request through a daisy chain of ad networks. Sometimes that request gets routed to the open RTB market, said PlaceIQ’s VP of data science and technology, Jonathan Lenaghan, which might compromise geocodes, or the string of numbers that identifies a lat/long coordinate.

Because bids are typically higher when there is precise location metadata within the ad request, it becomes increasingly attractive for fraudsters to spoof.

“A bad actor may actually start truncating some of the digits in the lat/long code and should they notice that there are significantly fewer digits in the geocode, they’ll start adding random numbers to the end of the lat/long to make it look more precise,” Lenaghan explained.

And as long as sellers get paid on a per-impression basis, networks are incentivized to deliver as many impressions in as cost efficient a manner as possible, perpetuating the problem.

In some instances a bad actor could game device IDs at the publisher or network-intermediary level by rotating an ID quickly. By cycling through a series of IDs at a rapid pace, it may appear to the demand side that these are different devices. Only close examination of the metadata reveals it’s the same entity and/or location.

Lenaghan likened the issue to a game of whack-a-mole.

“A couple of years ago, all you had to look for was an abnormally large number of requests being sent by a given device ID, or a location being responsible for billions of requests per month,” he said. “It’s been fairly easy to filter out this type of bad traffic, but the methods the bad actors are using are getting increasingly sophisticated.”

So what does a marketer in want of clean, uncompromised lat/long data do?

Marketers ultimately want to know how their location data investments helped drive in-store foot traffic and sales, but many are starting at square one - first determining whether they, indeed, reached a real human on the right device in the proper place.

Should an organization lack the resources to deploy an in-house team of experts to monitor metadata associated with location-based bids, cross-referencing these targets with alternative sets of data can help mitigate the issue.

According to Doades, marketers should reconsider complex conversion metrics or, in the case of mobile apps, going beyond the CPM or cost per install.

“Fraudsters will do a lot of things, but they won’t do things that are unprofitable for them,” he said. “When you go back to display and desktop and even mobile, fraudsters won’t be [transacting] because it doesn’t make sense. If they only get a few pennies to steal some impressions, they’re not going to go spend $30 on an ecommerce site.”

Thus, cross-referencing location data with first-party data is a good strategy, as long as things check out on the back end.

For example, in the case of cross-checking mobile app installs, if a marketer pays per install but fails to look seven or 30 days down the line to determine app usage or user retention, it’s incredibly lucrative for fraudsters to inflate downloads when click-based metrics are all that’s measured.

“You might have these big chunks of outliers where it looks like they installed, but never used the app again, when you would expect the average user to be active for 28 days or something,” Doades said. This is an example of where a marketer could use deeper conversion metrics and CRM to verify a finding.